- From: Daniel Roth <Daniel.Roth@microsoft.com>
- Date: Sun, 3 Sep 2006 13:42:31 -0700
- To: "Ashok Malhotra" <ashok.malhotra@oracle.com>, <public-ws-policy@w3.org>
Hi Ashok,

WS-SecurityPolicy provides assertions to control the order of cryptographic operations (runtime behavior) on a message. The order of assertions in a policy alternative has no bearing on the order of cryptographic operations. In fact, the WS-SecurityPolicy Section 5 says, 'when assertions defined in this section are present in a policy, the order of those assertions in that policy has no effect on the order of signature and encryption operations' [1].

You can use the same trick of encoding ordering semantics into the QName of an assertion. For example, if you have a log assertion and a timestamp assertion, you could use a timestampBeforeLogging assertion to express that you apply a timestamp before creating a log entry.

A significant advantage of using assertions to express the ordering of the behaviors described in a policy alternative is that the technique works well with policy intersection. The policy intersection algorithm in WS-Policy just works.

[1] http://www.oasis-open.org/committees/download.php/16569/

Daniel Roth

-----Original Message-----
From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of Ashok Malhotra
Sent: Tuesday, August 29, 2006 7:25 AM
To: public-ws-policy@w3.org
Subject: NEW ISSUE (3638) Need to be able to specify ordering between assertions

TITLE: Need to be able to specify ordering between assertions

DESCRIPTION: The Framework spec says "Assertions within an alternative are not ordered, and thus aspects such as the order in which behaviors (indicated by assertions) are applied to a policy_subject are beyond the scope of this specification". However, the SecurityPolicy spec requires ordering between signing and encryption and defines assertions to control the order between such assertions. We feel that ordering between assertions may be required in other cases as well and request an ordering mechanism between such assertions. For example, consider an assertion that adds something to a message. Perhaps a timestamp. We may want to say that the timestamp is added before a log record is written.

JUSTIFICATION: See above

TARGET: Framework

PROPOSAL: Two possible mechanisms come immediately to mind: an attribute on the assertion to indicate the order and a special assertion that says one assertion comes before another. But, clearly other mechanisms are possible. We have a creative WG!

All the best, Ashok
Received on Sunday, 3 September 2006 20:42:51 UTC
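
The QName technique from the reply above, as an added example that is not part of the original message or of any WS-Policy implementation: a simplified intersection that matches assertions by QName only and ignores nested policy and parameters. The namespace and every assertion name other than timestampBeforeLogging are constructed for illustration.

```python
from itertools import product

# Constructed QNames as (namespace, local name). Only timestampBeforeLogging
# is named in the message; the namespace and the other names are assumptions.
EX = "http://example.com/policy"
TIMESTAMP = (EX, "timestamp")
LOG = (EX, "log")
TS_BEFORE_LOG = (EX, "timestampBeforeLogging")
LOG_BEFORE_TS = (EX, "logBeforeTimestamp")  # hypothetical opposite ordering


def compatible(alt_a, alt_b):
    """Alternatives are compatible when every assertion QName in one has a
    match in the other, and vice versa. Position in the list is ignored."""
    return set(alt_a) == set(alt_b)


def intersect(policy_a, policy_b):
    """Combine each compatible pair of alternatives into one alternative
    holding the assertions of both (simplified: QName matching only)."""
    return [list(a) + list(b)
            for a, b in product(policy_a, policy_b)
            if compatible(a, b)]


def agreed_orderings(policy_a, policy_b):
    """Local names of the ordering assertions that survive intersection."""
    ordering = {TS_BEFORE_LOG, LOG_BEFORE_TS}
    return [sorted({q[1] for q in alt if q in ordering})
            for alt in intersect(policy_a, policy_b)]


# Provider supports either ordering, one per alternative.
PROVIDER = [[TIMESTAMP, LOG, TS_BEFORE_LOG],
            [TIMESTAMP, LOG, LOG_BEFORE_TS]]
# Requester lists the same assertions in a different document order.
REQUESTER = [[TS_BEFORE_LOG, LOG, TIMESTAMP]]
# A requester that lists the behaviors but states no ordering at all.
UNORDERED = [[LOG, TIMESTAMP]]

if __name__ == "__main__":
    print(agreed_orderings(PROVIDER, REQUESTER))
    print(intersect(PROVIDER, UNORDERED))
```

With the ordering carried in the QName, a party that expects a different order, or states none, ends up with no compatible alternative, so the mismatch shows at intersection time instead of in how the message is processed.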